PERSONAL DATA PROTECTION CONFIDENTIALITY AGREEMENT

PARTIES

Mila Teneva
II. BUYER

SUBJECT

This agreement concerns the application and continuation of all legal relationships in the context of personal data in accordance with the Law No. 6698 on the Protection of Personal Data, as well as the determination of rights and obligations regarding the protection of personal data transferred in all processes related to any commercial relationship, business relationship, or collaboration that the parties may enter into, and all business and services.

The parties accept that, depending on their activities, they may act as data controllers and/or data processors.

DEFINITIONS

Personal Data refers to any information relating to an identified or identifiable natural person.

Data Subject refers to the natural person whose personal data is processed.

Special Categories of Personal Data refers to information about individuals’ race, ethnicity, political opinion, philosophical belief, religion, sect, or other beliefs, clothing, membership in associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data.

Processing of Personal Data refers to any operation performed on personal data, whether or not by automated means, such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of the data.

Data Processor refers to the natural or legal person who processes personal data on behalf of the data controller under their authority.

Explicit Consent refers to the consent given based on information, freely expressed regarding a specific matter.

Recipient Group refers to the category of natural or legal persons to whom personal data is transferred by the data controller.

VERBIS refers to the Data Controllers Registry Information System.

Personal Data Processing Inventory refers to the inventory created by data controllers based on their business processes, detailing personal data processing activities, the purposes and legal grounds of personal data processing, the categories of data, the recipient groups, and the maximum retention periods required for personal data, as well as the security measures taken for data protection.

For other definitions and abbreviations, the definitions and abbreviations in the Law No. 6698 on the Protection of Personal Data, as well as in the regulations, communiques, decisions, and guidelines issued by the Personal Data Protection Authority, are valid.

1. The parties agree and undertake to comply with the “Right to Privacy” and “Protection of Personal Data” stated in Article 20 of the Constitution, as well as the provisions of the Law No. 6698 on the Protection of Personal Data, related regulations, and legislation, to transfer, store, and prevent unauthorized access to personal data by taking all necessary administrative and technical measures in accordance with the law.

2. The data processor can transfer personal data for the purposes specified in the policy, in accordance with the Law on the Protection of Personal Data (KVKK) and the applicable legislation. If personal data is to be transferred to a third party, the data processor must inform the data controller in a verifiable manner and obtain their consent. The contract between the data processor and the third parties must include at least the provisions of this agreement.

3. The parties undertake to act in accordance with the principles of diligence, loyalty, accuracy, and honesty in the mutual transfer and processing of personal data in accordance with the Law on the Protection of Personal Data and relevant legislation, as well as in line with the policies of both parties.

4. Each party will be directly responsible for any actions or behaviors that violate the provisions of this confidentiality agreement by their own employees, associates, parent or affiliated companies, contractors, suppliers, or their employees and associates. The termination of the employee’s job or the end of cooperation with the contractor or supplier does not relieve the responsible party of its obligations.

5. In the event of unauthorized access to the personal data subject to the contract or if the personal data becomes accessible to third parties in violation of the contract, the data processor shall immediately notify the data controller of the violation and provide all necessary information, documents, and support to minimize the damage.

6. Upon the termination of the agreement, or when the personal data is no longer required to be processed, or after the elimination of the reasons requiring processing, the personal data obtained under the agreement will be deleted or destroyed in accordance with the legislation and in line with the retention policies specified in the legislation.

7. In case of a change in the legislation that may affect the fulfillment of the commitments of the data processor under the agreement, the data processor agrees to immediately notify the data controller, and the data controller has the right to suspend the data transfer and terminate the agreement.

8. If the data subject requests the deletion of the personal data processed and transferred, the data controller shall notify the data processor of the request, and the data processor must delete the transferred personal data. If the data processor does not delete the personal data despite being notified by the data controller, the responsibility will lie with the data processor.

9. The parties are responsible for taking the necessary precautions to prevent unauthorized access, processing, and use of the personal data for purposes other than those specified. Each party is obliged to fulfill all legal, administrative, and technical measures required by the law, related regulations, and the Personal Data Protection Board.

10. In the event of changes in the relevant legislation, the parties shall make the necessary amendments to this agreement and/or the personal data protection policies as soon as possible. The amended sections will be implemented in accordance with the new legislation on its effective date.

11. During the contract period or after its termination, if there are any personal data violations by the person or persons carrying out the action, the following may apply:

    • If a crime is committed under Articles 135-140 of the Turkish Penal Code (TCK), a report may be filed,
    • Compensation liability may arise under Articles 123, 124, and 125 of the Turkish Civil Code (TMK),
    • In accordance with Article 11 of the Law No. 6698, if the data controller is obliged to pay compensation to the relevant person, the data processor may be held liable for reimbursement.

12. The parties may not disclose the personal data processed under this agreement to any person or persons other than those required by the Personal Data Protection Law, relevant regulations, and this agreement. This obligation continues even after the termination of the agreement.

Mila Teneva – BUYER